Closed (dnwe closed this issue 5 years ago)
@dnwe Thanks for the heads up. I see that openj9 does use regexec
which suffers from this vulnerability. (only in the linuxs390 arch though). Also one of the tests in omr uses it but not in the omr code itself. Upgrading to 2.29-r0 for now. Will upgrade once the vulnerability is fixed in the Alpine port.
Latest alpine ibmjava images now have glibc 2.29-r0. I don't see a newer glibc version yet.
The latest alpine images now have glibc 2.30-r0
glibc-2.30-r0 x86_64 {glibc} (LGPL) [installed]
As per the details below, there's been a recent (CVSS Base Score: 7.3) CVE in glibc relating to regular-expression execution. This has been fixed in their master repo, but is not yet available in a released version of glibc. I have two questions: 1) are we aware if the IBM Java runtime ever drives this functionality in glibc and hence whether or not it is in any way vulnerable to an exploit? and 2) currently ibmjava is still only pulling in glibc 2.25 from sgerrand/alpine-pkg-glibc – are there any plans to keep this up-to-date with the newer releases?
Description
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
https://sourceware.org/bugzilla/show_bug.cgi?id=24114
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
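The two questions in this issue (is the bundled glibc old enough to be affected, and does anything in the runtime actually import the affected regex entry points?) can be answered inside the container with a short script. The following is an added example, not code from the issue thread, the ibmjava image or the alpine-pkg-glibc project. It assumes: the affected range "through 2.29" from the CVE text, so anything older than 2.30 is treated as affected; `apk list --installed` output in the form quoted above (`glibc-2.30-r0 x86_64 {glibc} (LGPL) [installed]`); and a symbol check that prefers binutils `nm -D` and falls back to a raw string search (`grep -a`) when `nm` is missing or the file is not an ELF object. The fallback can also match the names inside message strings, so its hits are candidates to confirm with `nm`/`readelf`, not proof. `JRE_DIR` is a placeholder path.

```shell
#!/bin/sh
# Added example (not from the issue): check an Alpine/glibc-compat container
# for CVE-2019-9169 exposure.  Assumed fixed threshold: glibc 2.30 (CVE says
# "through 2.29" is affected).

# version_lt V1 V2 -> true (0) if dotted version V1 is strictly older than V2.
# Alpine apk versions carry a "-rN" package revision (2.29-r0); it is dropped
# because it never changes the upstream glibc version.  Assumes numeric fields.
version_lt() {
    v1=${1%%-r*}
    v2=${2%%-r*}
    [ "$v1" = "$v2" ] && return 1
    oldifs=$IFS
    IFS=.
    set -- $v1
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# apk_list_version PKG LINE -> the version in one `apk list --installed` line,
# e.g. apk_list_version glibc "glibc-2.30-r0 x86_64 {glibc} (LGPL) [installed]"
# prints 2.30-r0 (first field with the "PKG-" prefix removed).
apk_list_version() {
    pkg=$1
    set -- $2
    printf '%s\n' "${1#"$pkg"-}"
}

# glibc_affected VERSION -> true if VERSION is older than the assumed fix (2.30).
glibc_affected() {
    version_lt "$1" 2.30
}

# regexec_importers DIR -> print every file under DIR that references regexec
# or regcomp.  For ELF objects with binutils present this reads the undefined
# dynamic symbols; otherwise it falls back to a byte-level string search, which
# is only a heuristic (a log message containing "regexec" also matches).
regexec_importers() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        if command -v nm >/dev/null 2>&1 && nm -D "$f" >/dev/null 2>&1; then
            if nm -D --undefined-only "$f" 2>/dev/null | grep -qE ' (regexec|regcomp)(@|$)'; then
                printf '%s\n' "$f"
            fi
        elif grep -qaE 'regexec|regcomp' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Typical use inside the container (JRE_DIR is a placeholder):
#   ver=$(apk_list_version glibc "$(apk list --installed glibc 2>/dev/null | head -n 1)")
#   glibc_affected "$ver" && echo "glibc $ver is in the affected range"
#   regexec_importers "$JRE_DIR/lib"
```

In the thread the maintainer found the only regexec use in the linux s390 port of openj9, so on x86_64 the import scan is expected to come back empty for the JVM's own libraries; run it anyway over any JNI libraries the application ships, since those can reach `regcomp(..., REG_ICASE)` on the affected glibc just as easily.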